websh

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches arbitrary public URLs and user-generated sites (e.g., SKILL.md and the cd flow), iteratively reads and parses that HTML into .websh/cache/{slug}.parsed.md (state/cache.md and the Extraction Prompt), and then uses that parsed content to drive actions like eager prefetching and spawning fetch/extract tasks (state/crawl.md), so untrusted third‑party page content can materially influence subsequent tool use and decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill spawns background haiku agents that fetch and read remote pages (e.g., https://news.ycombinator.com) and feed the raw HTML into iterative extraction prompts, so runtime-fetched page content is injected into the model prompt and can directly influence agent behavior.